Business travel

Hotel-room hacks

Picking the lock

LAST MONTH Cody Brocious, a software developer for Mozilla, the company that makes the Firefox web browser, appeared at a hacking conference in Las Vegas to demonstrate a security flaw in hotel-room locks manufactured by a company called Onity. Mr Brocious's paper on the flaw is available on his website, but suffice it to say that using a $30 microcontroller that he plugs into an open port at the bottom of the hotel room locks, he can access what may be as many as millions of hotel rooms worldwide.

ExtremeTech's Sebastian Anthony calls this a "stupendously disgusting lack of security" and argues that "for a company that is tasked with securing millions of humans every night...it would’ve been nice if Onity had shown slightly more foresight."

Now that Mr Brocious's hack is public, Onity has had no choice but to start dealing with it. The hacker did not explain the flaw to the company in advance of revealing it to the public, a decision he told Forbes he made because he saw "no path to mitigate this from Onity's side." To fix the problem, the locks' entire circuit board has to be replaced—and on millions of locks, that's a process that could take a long time.

On Saturday, we learned what Onity is doing to deal with this flaw: as the Verge's Bryan Bishop reports, the company is offering hotels two solutions. The first is a mechanical fix that does not actually repair the software vulnerability: Onity will provide hotels with caps for the open ports on its locks, along with a security screw. Together, that solution will mean that potential hackers will have to partially dismantle the lock to get at the open port. The mechanical caps are free. The second solution, though—and the only one that actually fixes the software problem—is far from free. Here's an excerpt from a statement the company released last week:

The second solution Onity will offer to our customers, if they choose to use this option, is to upgrade the firmware of the HT and ADVANCE series locks. The firmware is currently complete for the HT24 lock, and by early next week should be complete for the entire HT series of locks. By the end of August we should have the firmware complete for the ADVANCE lock as well.

The deployment of this second solution, for HT series locks, will involve replacement of the control board in the lock. For locks that have upgradable control boards, there may be a nominal fee. Shipping, handling and labor costs to install these boards will be the responsibility of the property owner. For locks that do not have upgradable control boards, special pricing programs have been put in place to help reduce the impact to upgrade the older model locks.

It's good to see that Onity is taking steps to repair this vulnerability. But business travellers should be aware that hotels secured with Onity-brand locks that have open ports on the bottom may be hackable for some time to come. And it's easy to see how a mistake like this could be devastating for Onity's brand. Why would hotels pay to upgrade their vulnerable Onity locks to newer, supposedly unhackable Onity locks when they could switch to a different manufacturer entirely?

As a company that's selling security, Onity should be held liable for all thefts and the entire cost of retrofits to yield at least a modicum of security, which their current products clearly lack. Since innkeepers prominently serve notice of their lack of liability for their guests' belongings or safety, they will not be motivated to fix this security breach unless their guests vote with their feet.

How can we identify hotels and motels with Onity "locks" to avoid staying there? If faced with an Onity "lock" on one's door for the night, should one simply plug the access hole beneath the door handle with chewing gum? Would Crazy Glue or epoxy work better?

The room "safes" are just as easy to open for hotel employees with their little dongles; are they just as easy to hack as Onity "locks"?

Lilly, I understand where you are coming from. But the track record of contacting companies before outing them for poor security shows that the companies don't care enough to fix the issue until there is some public alarm.

Mojos said
"It's rather naive as a traveler (business or not) to assume that your hotel room is safe to begin with."

Absolutely true.
But he also said:
"There's usually a room safe to take care of your valuables"

And you imagine that such a safe is secure?
Oh dear! Oh dear! WRONG

Simple & effective measures to protect your stuff include:
- travel with the minimum of stuff you can't afford to lose.
- Use hotel's main safe for passports & such (that you won't need during your stay)
- bring your own "safe bag" (eg Paksafe) for locking to an immovable object and storing phone, camera, credit cards, memory sticks. Yes, such bags can be attacked: but a) thief would need certain tools; b) if bag is hidden thief may well overlook it.
- use a keyed cable lock (such as Kensington) for your laptop - and keep laptop properly backed up daily (eg to a memory stick, the cloud). Again, it could be attacked, hide it!
- jewellery, fancy watches, luxury suitcases, even designer pens merely make you a target. Ditto the ladies' designer clothes & shoes. Leave them at home.
- if you can achieve it, don't be a mug for designer brands: today an £80 Android phone performs as well & is less irresistible to thieves than your Ithing. Ditto tablets/laptops.

Implementing the software requires skill but somebody has already taken care of that - Cody has published the software on his web site.

All that's necessary to use this exploit is to get yourself an Arduino (they're available cheaply everywhere, not particularly hard). It's also not inconceivable that somebody would create pre-assembled kits.

Creating these $50 devices might require a person with a technical background; however, anybody can use them to open doors. Picking a single lock still requires a skilled lockpicker.

Much as I would like to follow your advice, it's not very practical. For example, when travelling abroad, you really can't afford to lose your passport, but you don't have a choice about taking it with you.
There are plenty of other items that you have to take that you really wouldn't want to lose. For example, losing your laptop, even if affordable financially, is a massive hassle. But going without it is almost certainly not an option. Ditto keys, credit cards, mobile phone...

Exactly. Few big companies really want to know about genuine problems with their products. There are lots of reasons. One is probably simple human embarrassment, but a big one is fear of legal liability, which takes many forms. They may hope they can prove that there isn't really a problem, and avoid responsibility altogether. They may still believe in security via secrecy (hide the product's vulnerabilities and hope nobody finds them) rather than security via open-source designs and public key encryption, where the only secret is the private encryption key. But another big reason tech companies don't want to even talk to outsiders is that they're afraid if they do, they will have intellectual property law obligations to them. This is why big companies immediately round-file or return any product idea sent by a garage-shop "inventor". If the "inventor" happens to mention something that the company is actually working on, he might later claim the company has stolen his invention. I suspect that merely talking to an outside engineer about a product vulnerability is something that makes the legal department very nervous.

To somebody considering revealing a potentially expensive and maybe even brand-killing fault in a big company's product, there's also the decidedly non-zero probability that the company, in a panic or an attempt to buy time and control the message, will stop at nothing in order to silence the whistle-blower. A threat of a massive lawsuit for theft of trade secrets, for example, would give the average private individual serious pause.

No, Cody Brocious did exactly the right thing here -- reveal the flaw to the world and to the manufacturer simultaneously. By doing so, he ensured that the company has to deal with it, and he also did the best he could to protect himself against any retaliatory lawsuits or other threats since anything the company tried to do to him now would immediately be public and would further devalue their brand and their reputation.

After reading this, I feel very irritable. Cody, the young man from Mozilla who found the vulnerability in the Onity lock mechanism, should have made at least one attempt to contact Onity. He should have done so PRIOR to presenting his findings at, of all places and venues, the most well-known, biggest, baddest information security convention in the world! Give Onity a chance to determine whether or not the problem were insoluble!

Usual protocol seems to be this: Report the problem to the company and wait a few days. If there is no response nor remediation of the vulnerability, write a blog post about the situation, or send a signed write-up to an infosec professionals' forum or such. Discreetly.

I have a certain amount of sympathy for Cody though. Two reasons: First, it isn't always so easy to contact a company when you find a problem. I find things, now and then, and sometimes worry that by disclosing the information, I will bring trouble to myself (never actually happened to me personally). I have observed incidents when individuals do report problems, usually about software or network security, and instead of being thanked and wishes respected e.g. for anonymity, well, the very opposite. This is NOT a common occurrence with reputable or established organizations though! Well-run companies make it very easy to report problems, in my experience.

Second reason: The culture of rewarding people for finding security vulnerabilities with cash might have unintended consequences e.g. Google Chrome's browser (or O/S?) vulnerability competition. It was well intended, but I worry. Unfortunately it seems like an open season on finding and broadcasting security problems lately.

As another comment remarked, anything can be broken. Hotel room locks need not be unbreakable, they only need to be secure enough to serve their purpose. Here's a far worse scenario: Because of this hue and cry about Onity locks and Cody's presentation at Black Hat, hotels will remove Onity locks and replace them with... what? Something BETTER? Or merely something ELSE, which might be less costly, and less secure than the Onity lock was. That is the outcome that worries me.